This requires more than just switching to HTTPS. The updates UI will also need to explain HTTPS failures in such a way that users don't seek insecure workarounds.
Windows updates are being subjected to MITM patches. Windows Update correctly fails to install them, but gives a vague error code. Googling for a solution to the problem leads people to a direct download that is not subject to the same security checking and can therefore be MITMed successfully.
<http://www.leviathansecurity.com/blog/the-case-of-the-modified-binaries/>

Discouraging people from bypassing HTTPS errors is a problem also faced by browser designers.
<http://blog.johnath.com/2008/11/06/ssl-error-pages-in-firefox-31/>
<http://webscripts.softpedia.com/blog/Chrome-s-New-SSL-Error-Pages-393600.shtml>

--
https://bugs.launchpad.net/bugs/1186793
Title: Updating is over insecure connection
